- The MAILING DATE of this communication appears on the cover sheet with the correspondence address -
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).

- Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 04 September 2007.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 1-18 is/are pending in the application.

4a) Of the above claim(s) ____ is/are withdrawn from consideration.

5) [ ] Claim(s) ____ is/are allowed.

6) [X] Claim(s) 1-18 is/are rejected.

7) [ ] Claim(s) ____ is/are objected to.

8) [ ] Claim(s) ____ are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [X] The drawing(s) filed on 18 July 2003 is/are: a) [X] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. ____.

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received. 

DETAILED ACTION
Continued Examination Under 37 CFR 1.114 

1. A request for continued examination under 37 CFR 1.114, including the fee set forth in
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e)
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.114. Applicant's submission filed on 4 September 2007 has been entered. 

2. Claims 1-18 have been presented for examination. 

Response to Arguments 

3. Applicant's arguments filed 4 September 2007 have been fully considered but they are 
not persuasive. 

4. Contrary to the Applicant's statement on page 5 of the amendment of 4 September 2007, 
claim 6 has not been amended to overcome the 35 U.S.C. 112, 2nd rejection and the rejection of
claim 6 has been upheld. 

5. In response to the Applicant's arguments that Lawrence does not teach that a third party 
determines a second party's compliance with certain security features and returns the status of 
the second party's compliance to a first party, the Examiner disagrees. Paragraph 0051 of 
Lawrence discloses: 

[A] subscriber 111 would access the RMC system 106 via a computerized system as 
discussed more fully below. The subscriber would input a description of a risk subject, 
or other inquiry, such as the name of a party attempting to perform a financial 
transaction. 

The Applicant's claimed third party is drawn to the disclosed RMC. Lawrence states at 
paragraph 0032 that "[a]n RMC system 106 gathers and receives information which may be 
related to risk variables in a financial institution." The subscriber is similar to the Applicant's
claimed first party, since Lawrence discusses that subscribers, such as those in paragraph 0035, 
can make inquiries about entities that they conduct financial transactions with (paragraphs 0051, 
0062). Finally, the Applicant's limitation regarding the second party is drawn to Lawrence's 
disclosed risk subject, which pertains to a potential party in a financial transaction. 

6. Since Lawrence discloses a third party determines a second party's compliance with 
certain security features and returns the status of the second party's compliance to a first party, 
the rejection is, therefore, maintained. 

7. See further rejections below. 

Claim Rejections - 35 USC § 112 

8. The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

9. Claim 6 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing
to particularly point out and distinctly claim the subject matter which applicant regards as the 
invention. Claim 6 recites the limitation "the vendor." There is insufficient antecedent basis for 
this limitation in the claim, and the Examiner will construe "the vendor" to be the "second 
parties" disclosed in claim 1.

Claim Rejections - 35 USC § 102

10. The text of those sections of Title 35, U.S. Code not included in this action can be found 
in a prior Office action. 

11. Claims 1-5,8, 11-15, and 18 are rejected under 35 U.S.C. 102(a) and 35 U.S.C. 102(e) as 
being anticipated by U.S. Patent Application Publication No. 2002/0138417. 

12. As per claims 1 and 18, Lawrence teaches a transaction involving a disclosure of
confidential information by first parties to second parties (paragraph [0014], i.e. financial 
transaction), requiring the second parties to have adopted security measures with respect to the 
handling of the information and periodically respond to requests of the first parties for assurances 
of the adoption, implementation and observance of the security measures by the second party 
(paragraphs [0002], [0016], [0017]), a method for providing such assurances to the first parties, 
comprising: 

arranging by a third party with a selected number of the second parties to acquire, 
compile and store in a database of said third party, information regarding the adoption, 
implementation, and observation of security measures for each of the selected number of second 
parties (Figures 3 [block 312], 4 [block 410], paragraphs [0031], [0079], i.e. gathers and stores 
information in a database related to a risk assessment of a party involved in a financial 
transaction); 

arranging by said third party with a selected number of the first parties subscription 
services providing the selected number of first parties with assurances of the security measures 
of the selected number of second parties upon request (Figures 1 [block 111], 2 [blocks 220,
221], paragraphs [0035], [0037], [0067], i.e. subscriber's request for information); and 
providing by said third party the assurances of the security measures of the selected number of 
second parties to the selected number of first parties upon request (Figures 3 [block 319], 4
[block 418], 5 [block 517] paragraph [0013], [0031], [0032], [0051], [0062], [0088], [0091], 
[0097], see explanation above under heading Response to Arguments). 

13. Regarding claims 2 and 13, Lawrence teaches updating the security measures information
stored in the database of said third party for each second party periodically (paragraphs [0079],
[0094], i.e. ongoing monitoring). 

14. Regarding claim 3, Lawrence teaches updating the security measures information stored 
in the database of said third party upon a notification by a respective second party (paragraphs 
[0031], [0039], i.e. a financial institution can integrate a risk management clearinghouse) and 
verification by a third party (paragraph [0080], i.e. source of risk variable by other provider of 
risk management data, such as a government agency). 

15. Regarding claims 4 and 11, Lawrence teaches wherein the acquisition, compilation and
storage of the security measures information of the selected number of second parties by said 
third party is performed at no cost to the selected number of second parties (Figures 3 [block 
312], 4 [block 410], paragraphs [0031], [0079], i.e. gathers and stores information in a database 
related to a risk assessment of a party involved in a financial transaction). 

16. Regarding claims 5 and 12, Lawrence teaches wherein the access provided to each client 
is a subscription service of said third party for a fee (Figure 1 [block 111], paragraph 0035, i.e. a
subscription service typically includes a fee). 

17. As per claim 8, Lawrence teaches a method for providing security information on a
plurality of vendors to a plurality of clients, comprising: 

Application/Control Number: 10/621,408 Page 6

Art Unit: 2131

providing an assessment of security procedures adopted, implemented and observed for 
each of the plurality of vendors by said third party (Figures 3 [block 312], 4 [block 410], 
paragraphs [0031], [0079], i.e. gathers and stores information in a database related to a risk 
assessment of a party involved in a financial transaction); and 

storing each assessment in a vendor security database by said third party (Figures 1 
[block 112], 2 [block 210], paragraphs [0031], [0042], [0043], [0054], [0058], [0060]);

providing access by said third party to the vendor security database to each client to allow 
each client to review the plurality of assessments (Figures 3 [block 319], 4 [block 418], 5 [block 
517], paragraphs [0063], [0086], i.e. a subscriber will be able to access the database).

18. Regarding claim 14, Lawrence teaches wherein the assessment is updated whenever the 
vendor updates its security procedures, the updates are verified and provided to the VMS 
(paragraphs [0093], [0094], i.e. RMC monitors for and stores updates). 

19. Regarding claim 15, Lawrence teaches wherein each assessment comprises one or more 
of SAS70 reports, Penetration Reports, Information Security Policies, Computer Incident 
Response Policies, DR Plans, Business Resumption Plans, Insurance Coverages, 3rd Party 
Vendor Management Policies & Programs and Annual Financial Reports (paragraphs [0003]- 
[0005], [0008], [0017], [0035], i.e. SAS 70 reports include the suspicious activity reports 
disclosed in Lawrence). 

Claim Rejections - 35 USC § 103 

20. The text of those sections of Title 35, U.S. Code not included in this action can be found
in a prior Office action. 

21. Claims 6, 7, 9, 10, 16, and 17 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Lawrence in view of U.S. Patent Application Publication No. 2004/0193907 to Patanella, 
hereinafter Patanella. 

22. Regarding claims 6, 7, 16 and 17, Lawrence does not teach providing a rating for each 
second party based upon a type of the confidential information and the security measures of the 
second party. 

23. Patanella teaches providing a rating for each second party (Figure 7, paragraph [0017], 
i.e. low risk, medium risk, high risk, information risk) based upon a type of the confidential 
information (paragraphs [0069], [0070], i.e. compares to industry average, for example, for 
financial institutions) and the security measures of the second party (paragraphs [0017], [0069], 
[0070], i.e. defining the security levels, such as high risk refers to the system being 
compromised, that requires immediate attention). 

24. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to provide a rating based upon confidential information and/or security measures of 
the vendor, since Patanella states at paragraph [0008] and [0069] that providing a rating allows 
the user to view the most vulnerable systems in a ranking that is cost-efficient and permits the 
user to see which systems require the most attention, as well as suggest possible fixes to patch 
certain vulnerabilities. 

25. Regarding claims 9 and 10, Lawrence does not teach wherein the assessment is provided 
at cost or fee to the vendor. 

26. Patanella discloses a cost-effective method for assessing a network for compliance with a
number of regulations, policies, or standards in paragraph [0008]. One of ordinary skill in the 
art would infer that since there is a cost associated with the method, therefore some type of cost 
or fee could be charged to the vendor. 

27. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to charge the vendor, since Patanella states at paragraph [0006] that the reporting 
capabilities of the previous system are immature and require highly technical personnel to 
analyze and make sense out of the results. Therefore, one of ordinary skill in the art would 
recognize the need for a charge to the vendor to pay the technical personnel to translate and 
present the reports to the users in a clear and concise manner. 

Conclusion 

28. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Christian La Forgia whose telephone number is (571) 272-3792. 
The examiner can normally be reached on Monday thru Thursday 7-5. 

29. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh, can be reached on (571) 272-3795. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300. 

30. Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Christian LaForgia
Patent Examiner 
Art Unit 2131 




